Re: Measuring PF/IPF Performance
md5@ghettohackers.net wrote:
>
> hello fellow bsdr's,
>
> What do people think the best way is to generate performance statistics using
> pf/ipf under OpenBSD? Has anyone developed a *standard* way of setting up the
> test environment? Seems like a lot of the commercial firewall companies have
> stats on their products like " we can examine 217Mbps worth of ip
> traffic " 'beat that :P' hehe.
The question seems simple, but is nonsense, unfortunately. There is
no standard *usage environment*, so how can there possibly be a
standard test environment?

The only way to really find out if a product is going to measure up in
your environment is to see it in your environment, or hear from
someone you trust who has a very similar demand as you do (and you
expect to measure this...how?) and see their results...and hope they
really do have comparable usage.

Fortunately, your cost to test OpenBSD is about zero. Your cost to
test Firewall-1 or any of the other commercial products with a "beat
that" number is...um...not zero. 8-)

I can cobble a demo up -- a pair of well-chosen ISA NICs, a 486/66,
16M RAM and show you how it can handle 4Mbps without breaking a sweat.
Henning Brauer can show you a real-world app where IPF running on a
highly tuned Athlon system with prime-quality parts can be brought to
its knees by far less traffic than that.

It all depends how you use it...anyone who tells you a firewall can be
summed up with one number is lying big time.

Packets per second matter more than bits per second, as it takes
virtually the same amount of work to figure out what to do with a
packet containing one byte as it does to pass a packet containing
thousands of bytes.

Simple rules are faster than complex rules.

The variations are endless.

Then there is the random factor: the users...

Nick.
--
http://www.holland-consulting.net
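
The packets-per-second point in the reply above, worked through as an added example (not part of the original message): it converts a headline Mbps figure such as the quoted 217 Mbps into the packet rate it implies at different Ethernet frame sizes, and back again. The frame sizes, the per-frame wire overhead and the guess that a headline number is measured with maximum-size frames are assumptions of this example.

```python
# Added example. Standard Ethernet per-frame costs (assumed link type).
PREAMBLE_SFD = 8        # bytes on the wire before every frame
INTERFRAME_GAP = 12     # idle byte-times after every frame
MIN_FRAME, MAX_FRAME = 64, 1518   # frame incl. header and FCS, no VLAN tag


def wire_bytes(frame_len):
    """Bytes of line time one frame of frame_len bytes occupies."""
    if not MIN_FRAME <= frame_len <= MAX_FRAME:
        raise ValueError(f"frame length {frame_len} outside {MIN_FRAME}..{MAX_FRAME}")
    return frame_len + PREAMBLE_SFD + INTERFRAME_GAP


def line_rate_pps(link_mbps, frame_len):
    """Most packets/s a link of link_mbps can physically carry at this size."""
    return link_mbps * 1_000_000 / (wire_bytes(frame_len) * 8)


def pps_for_claim(mbps, frame_len):
    """Packets/s the firewall must classify to move mbps of frame data."""
    wire_bytes(frame_len)  # validate the size only
    return mbps * 1_000_000 / (frame_len * 8)


def mbps_for_pps(pps, frame_len):
    """Mbps of frame data a fixed packet budget yields at this size."""
    wire_bytes(frame_len)  # validate the size only
    return pps * frame_len * 8 / 1_000_000


def report(claim_mbps, sizes=(64, 512, 1518)):
    """Rows of (frame size, pps needed for the claim, Mbps from the budget).

    Assumption: the claim was measured with MAX_FRAME-sized frames, so the
    per-packet work the box can do is the packet rate at that size.
    """
    budget = pps_for_claim(claim_mbps, MAX_FRAME)
    return [
        (size,
         round(pps_for_claim(claim_mbps, size)),
         round(mbps_for_pps(budget, size), 1))
        for size in sizes
    ]


if __name__ == "__main__":
    print("frame  pps needed for 217 Mbps  Mbps at the large-frame pps budget")
    for size, pps, mbps in report(217):
        print(f"{size:5d}  {pps:23d}  {mbps:8.1f}")
    print("100 Mbps line rate at 64-byte frames:",
          round(line_rate_pps(100, 64)), "pps")
```

When running a test against pf or ipf, record the frame-size mix and the packet rate alongside the bit rate so the result can be compared with another run.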